<p>Users often connect to web servers through HTTP proxies.</p>
<p>Proxy can be configured to forward the client IP address via the <code>X-Forwarded-For</code> or <code>Forwarded</code> HTTP headers.</p>
<p>IP address is a personal information which can identify a single user and thus impact his privacy.</p>
<h2>Ask Yourself Whether</h2>
<ul>
  <li> The web application uses reverse proxies or similar but doesn’t need to know the IP address of the user. </li>
</ul>
<p>There is a risk if you answered yes to this question.</p>
<h2>Recommended Secure Coding Practices</h2>
<p>User IP address should not be forwarded unless the application needs it, as part of an authentication, authorization scheme or log management for
examples.</p>
<h2>Sensitive Code Example</h2>
<p><a href="https://github.com/http-party/node-http-proxy">node-http-proxy</a></p>
<pre>
var httpProxy = require('http-proxy');

httpProxy.createProxyServer({target:'http://localhost:9000', xfwd:true}) // Noncompliant
  .listen(8000);
</pre>
<p><a href="https://github.com/chimurai/http-proxy-middleware">http-proxy-middleware</a></p>
<pre>
var express = require('express');

const { createProxyMiddleware } = require('http-proxy-middleware');

const app = express();

app.use('/proxy', createProxyMiddleware({ target: 'http://localhost:9000', changeOrigin: true, xfwd: true })); // Noncompliant
app.listen(3000);
</pre>
<h2>Compliant Solution</h2>
<p><a href="https://github.com/http-party/node-http-proxy">node-http-proxy</a></p>
<pre>
var httpProxy = require('http-proxy');

// By default xfwd option is false
httpProxy.createProxyServer({target:'http://localhost:9000'}) // Compliant
  .listen(8000);
</pre>
<p><a href="https://github.com/chimurai/http-proxy-middleware">http-proxy-middleware</a></p>
<pre>
var express = require('express');

const { createProxyMiddleware } = require('http-proxy-middleware');

const app = express();

// By default xfwd option is false
app.use('/proxy', createProxyMiddleware({ target: 'http://localhost:9000', changeOrigin: true})); // Compliant
app.listen(3000);
</pre>
<h2>See</h2>
<ul>
  <li> OWASP - <a href="https://owasp.org/Top10/A05_2021-Security_Misconfiguration/">Top 10 2021 Category A5 - Security Misconfiguration</a> </li>
  <li> OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure">Top 10 2017 Category A3 - Sensitive Data
  Exposure</a> </li>
  <li> <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For">developer.mozilla.org</a> - X-Forwarded-For </li>
</ul>
